Throughout my career I’ve encountered many leadership styles. Leadership has always been an aspiration of mine, both because part of success is lifting others and because I have a strong interest in psychology. As a passionate co-worker, a mentor, and then a formal leader, I’ve tested what works and what does not in the organizations I’ve been a part of.
Hackers, more specifically, offensive security practitioners are some of the most interesting, brightest people I’ve worked with and led. However, they also come with their own challenges. Add a remote workplace, a heavily client-facing role, and the pressure of performing offensive security services or safeguarding an organization’s security posture into the mix, and in many organizations I’ve seen, team meetings can devolve into an hour or two of the leader talking while others zone out. The exception is when something significant happens and the meeting turns into a press style Q&A.
So how does team building fail?
How does team building fail?
Let’s discover the answer to that question by analyzing two common team building exercises.
Movie Hour / Happy Hour
A classic. I have fond memories of some Fridays at prior office with “Hackers” projected on the wall.
In a remote setting, happy hours or dinners outside a retreat are rarely well received. Expecting connection through a screen, while an employee sits where they work and live, when they could be working or relaxing is unrealistic. In person happy hours and dinners also pull people from their families and hobbies and tend to feel like a requirement, one they may not enjoy.
Most Interesting Finding
I’ve explored this more times than I’d like to admit. It is a game of show and tell where a team member shows and talks about a finding they are most proud of or found most interesting since the last round. To encourage participation, I’ve offered recognition such as formal shoutouts and small personal swag. I’ve selected winners myself and I’ve let the team vote anonymously. Every time, within a few cycles, the same few people win or even bother to submit. Even when submission is a hard requirement, entries get missed or receive minimal effort. In other words, participation often drops off, even if it’s required.
Distilled root causes: imposter syndrome and lack of value.
Some practitioners, myself included in past roles have felt that being pulled off assigned work for movies or drinks offered little value. If you make it optional, those who opt out for reasons such as, a dark office or a projected movie breaks focus, they aren’t interested, they’re stressed about deadlines, or they’d rather go home an hour earlier, end up feeling like they’re missing out. That sends an unintended in group signal.
With “most interesting finding,” strengths differ and engagements vary in difficulty, scope and many other aspects. If one person is testing a less mature internal application., the likelihood of finding RCE is higher than for someone on an external engagement against a very mature organization.
If we as an industry accept that impact and number of findings don’t reflect overall ability or effort, comparing them won’t either. The likely outcome is amplifying imposter syndrome; the opposite of team building.
What actually works
Two exercises that strengthen teams in a remote technical workplace:
Passive support from the team
Team building doesn’t happen in once a month Friday 4 p.m. events. It happens continuously. The goal is a culture where people are confident not knowing everything and comfortable reaching out to teammates when they feel that way.
One effective approach is: Maintain a communication channel outside the broader team channel, a private team only knowledge stream. Everyone, including the leader, has a hard requirement to post a technique, tool, or lecture (TTL) every week. Summaries, presentations, tag inclusions, or even to have read the link is not required. Just the link.
Why it works:
— Reinforces keeping ears to the tracks and close to the bleeding edge.
— Creates a long-term, easily searchable place to stash what works.
— Stores “learn-next” items such as things to test or study later in one place.
— Triggers organic discussion around directly applicable TTLs.
— Enables organic discovery of topics, interests, and specialties, giving teammates a base for conversation with each other.
— Gives leadership a tangible signal of continuous learning for reviews, raises, and promotions.
— Gives leadership insight into where a team member may want to research, specialize, cross-train, or pivot.
— Most importantly: lets the team build something together, brick by brick, with minimal overhead.
Informal team mid-depth discussions
Everyone brings something unique. As part of team meetings, pick a topic from a running list the leader curates, with all team members able to add items anonymously. The leader introduces the topic, then steps back and facilitates rather than lectures. The team shares thoughts, opinions, and experiences on subjects no one is expected to have memorized or prepped for. People learn others’ interests, backgrounds, and perspectives, or even just what their teammates sound like, without any “called to the front of the class” or “pop quiz” feeling. This also works the soft-skills muscles needed to communicate across co-workers, departments, and clients.
Examples:
— Topic: Lessons Learned – Each member of the team defined what lessons learned is, identified individual value in that phase of an engaement, highlighted areas for improvement, and clarified who benefits and why. We examined why it often feels important only when there was an issue.
— Hacker Culture: we discussed the roots of “hacker,” from Cult of the Dead Cow to LulzSec to penetration testing and onward.
Implementation guidance:
Set expectations
— All team members participate.
— Anyone can submit a topic.
— Not a debate; a sharing of perspectives and ideas.
— No individual follow-up and no test; you are not being held to what we discuss.
— Disagreement is acceptable.
— Often there is no single right answer; alignment is not the objective.
Guardrails and facilitation
The leader keeps discussions on track and professional. When a rabbit hole starts, park it: “This is getting off track but worth discussing; adding it to the future topics list.” Unprofessionalism is unlikely to occur, but the leader should be prepared to redirect many times.
Lead by example
Listen. Absorb. Ask questions. State agreements. Correct inaccuracies. Don’t challenge without an open mind. The team will follow suit. These discussions create real value for the team and for you as a leader. You gain meaningful insight about your people.
Schedule with intent
— Friday at 4 p.m. is when people care least. Late day and close to the weekend, focus drops. In crunch time, people are finishing deliverables or preparing reports.
— Ad-hoc sessions can spark strong discussions; use sparingly and never to check who is “available.” If that’s the mindset, address deeper issues another way. It’s risky to use team meetings for anything other than their purpose.
— The sweet spot is Tuesday through Thursday, either after lunch or about an hour after the workday begins. This works because it’s early enough not to break flow and late enough for people to re-enter flow once the meeting ends.
This topic is heavily discussed across the industry; these are the patterns that consistently work.
Caveat: two examples of what fails and two of what works won’t solve everything. Future articles will cover reinforcing topics such as properly communicating genuineness, when and how to celebrate wins and work through losses, and other aspects that support team building.
Opinions are my own and do not reflect any employer or client. Examples are composites; no client information is disclosed. Written on personal time and personal resources.